In 1986, Congress passed the Computer Fraud and Abuse Act (CFAA) as a means to address the growing problem of computer crime and, specifically, individuals engaged in computer intrusion and hacking. 18 U.S.C. § 1030. Among other things, the CFAA criminalizes accessing protected computers without authorization and also prohibits individuals who have authorized access to protected computers from exceeding the scope of their authorization. 18 U.S.C. § 1030(a). A protected computer includes those exclusively used by financial institutions and the government and those used in interstate commerce or communication. 18 U.S.C. § 1030(e)(2). Criminal penalties can reach up to 10 years’ imprisonment for a first offense. 18 U.S.C. § 1030(c). Additionally, after an amendment created a civil cause of action under the CFAA, 18 U.S.C. § 1030(g), employers have increasingly utilized the statute in civil suits against former employees accused of a range of improprieties committed on computers during employment, including former employees who accessed company computers to gain information for use in competing with their former employers.
The meaning of “exceeds authorized access” has come under increased scrutiny in the courts recently, with differing outcomes. Some courts have held that the violation of an employer’s computer-use policy could lead to a criminal violation under the CFAA, while other courts have rejected that view as too expansive.